What is a Federation Trust?

A relationship established between your Exchange organization and the Microsoft Federation Gateway (MFG), also known as the Azure Active Directory Authentication System (AADAS).

It is used to manage Organization Relationships between Exchange organizations, which enables Federated Sharing, allowing authenticated requests for Calendar free/busy information.


What is this?


Microsoft Federation Gateway

Acts as a trust broker between federated organizations.

Technically, it has been renamed and is now officially known as the Azure Active Directory Authentication System (AADAS). However, MFG may appear on the exam instead.


What does this stand for?


Azure Active Directory Authentication System

The newer name for MFG.


What is Federated Sharing?

Allows for authenticated requests for Calendar information between Exchange Organizations. Also allows Mail Tips and other small features to be shared.

It requires an Organization Relationship to be established through a Federation Trust.


How can sharing of Calendar information through Federated Sharing be limited?

When configuring the Organization Relationship, you can choose between sharing:

• No access

• free/busy info with time only

• free/busy info with time, subject, and location


• You can limit sharing to a specified security group, rather than organization-wide

• Individual users can prevent access to their own Calendar information, by removing the "Default" permissions entry on the calendar, or setting it to "No Access."


If you want users to be able to share more details of their calendars, how can you do so?

• Configure a sharing policy for either all domains or the specific domain, which allows sharing of "All calendar appointment information".

• This will work for both federated and non-federated Exchange organizations.

• To share with non-Exchange organizations, allow sharing with the specified domain "Anonymous", and users will select the "Publish" calendar option to share it.


What are the requirements for Federated Sharing?

Both organizations must have:

• A federation trust established with the MFG

• An Organization Relationship with the other organization

• Autodiscover records in DNS

• Firewalls open for HTTPS requests

• Valid SSL certificates


What kind of certificates does Microsoft recommend for Federation?

Self-signed certificates.

You can use a third-party CA, but it is not necessary.


What is a Sharing Policy?

A Sharing Policy controls whether individual users can share calendar information with external users, including:

• users in another federated Exchange organization

• users in a non-federated Exchange organization

• users of a non-Exchange mail service, such as Gmail

• publishing calendars to the internet


How are Sharing Policies applied?

Sharing Policies are assigned to mailboxes.

You can have multiple policies in an organization, but only one policy can be assigned to any given mailbox at a time.


What is Individual Sharing?

A name for the features controlled by a Sharing Policy.


How can a user publish their calendars online?

• Modify the Sharing Policy that is applied to the user's mailbox by adding a sharing rule for a specific domain called "Anonymous".

• Note: the Calendar virtual directory needs to be enabled on Client Access servers, and set to allow Anonymous Features. (It is by default.)

• Access is only over HTTP, so port 80 will also need to be opened from the internet to your Exchange server.


What is Cross-forest Availability?

• Allows calendar free/busy info lookups between NON-FEDERATED Exchange organizations.

• Does not involve the MFG.

• Can be used for both trusted and non-trusted AD forests.


For Cross-forest availability, what are the setup requirements regarding User accounts?

• Users and groups in the source forest must be created as contacts in the target forest, so that they can be seen in the GAL.

• For temporary cross-forest availability setups, you can run a script to do this once.

• For ongoing setups, a GAL synchronization tool must be used so changes are always synced. Microsoft and third parties have tools available.


What does this stand for?


Global Address List


How is Cross-forest Availability controlled differently, between Trusted vs. Non-Trusted Forests?

Trusted Forests:

• Availability can be controlled on a per-user basis, because each request can be authenticated as coming from a specific user.

• Thus, Mailbox users can set different levels of calendar permissions for different users in the remote forest.

Non-trusted Forests:

• Availability is organization-wide only.

• Only the "default" permissions entry on a calendar can be used to control the level of free/busy info accessible by users in the remote forest.


What are the Autodiscover Requirements for Cross-forest availability?

• For Trusted Forests:

– Either use the Autodiscover CNAME record, or:

– Export the Autodiscover SCP from one forest to another.

• For non-trusted forests, only the Autodiscover CNAME can be used.


What is Cloud Identity?

One of the Identity management models for Office 365.

Office 365 accounts are stored in Azure AD, and not integrated with any on-premises directory.

If any on-prem AD exists, it is separate and not integrated.


What is Directory Synchronization?

• One of the Identity management models for Office 365.

• The on-prem AD is the source of identity, and objects are synced to Azure AD via a directory synchronization tool.

• When cloud resources are accessed, authentication is performed by Azure AD.


What form of Identity Management is recommended for smaller organizations (1-50 users)?

Cloud Identity


What form of Identity Management is recommended for larger organizations (51 or more users)?

Directory Synchronization (either with or without ADFS)


What is Azure AD Connect?

The most recent name for Microsoft's directory synchronization tool.

Used for syncing objects, such as users, contacts, and groups, from an on-prem AD to Azure AD for use in Office 365.

Passwords can also optionally be synchronized using Password Sync.


What is Directory Synchronization with Federation?

One of the Identity management models for Office 365.

Based on Directory Synchronization, but the authentication for cloud resources isn't performed by Azure AD.

Instead, Office 365 passes the authentication requests to an on-prem ADFS instance.


What is ADFS?

Active Directory Federation Services

Usually deployed as a farm for high availability.


What are the pros and cons of using ADFS for Office 365 authentication?

Changes to authentication and policies are applied immediately instead of needing to be synced. It also allows for more restrictions.

However, it requires more on-prem servers and infrastructure.


What is a Hybrid Configuration?

• A coexistence between Exchange On-Premises and Exchange Online

• Can be used either as a migration method, or a permanent state of coexistence.

• Supported for Exchange 2010 or later


What are the benefits of a Hybrid Configuration?

If using both on-prem and Office 365 Exchange accounts, a Hybrid configuration allows for:

• Integrated administration via a single EAC interface

• All interaction between both systems is considered internal to the single organization.

• Mail flow between them is secured with TLS encryption, with internal message headers preserved.


What are the requirements for a Hybrid Configuration?

• Office 365 tenant with Exchange Online licenses

• Directory Synchronization, either with Password Sync, or with ADFS

• Firewall Access:
– TCP 443 for Autodiscover and Exchange Web Services
– TCP 25 for SMTP mail flow

• Certificates


In a Hybrid Configuration, what Exchange features depend on OAuth authentication if they are to work between Office 365 and on-prem Exchange?

• Messaging Records Management

• In-place Discovery

• In-place Archiving


What is Centralized Transport?

A Hybrid Configuration option

Enabling it means that all mail flow must pass through the on-prem Exchange servers.

Typically used for compliance requirements, such as journaling that is controlled on-prem.

In detail: mail sent from Exchange Online mailboxes to internet recipients will not go directly to the internet, but will be routed through the on-prem Exchange servers first.

If your MX record is pointing to Exchange Online and Centralized Transport is enabled, then incoming messages for Exchange Online recipients will also be routed to the on-prem Exchange servers first. (If your MX record points directly to on-prem Exchange, this step is no longer relevant.)